1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
|
$Id: README 724 2012-02-09 14:18:30Z bw $
fwlogwatch is a security tool written in C by Boris Wesslowski originally for
RUS-CERT. It is a packet filter/firewall/IDS log analyzer with support for a
lot of log formats and has many analysis options. It also features realtime
response capabilities and an interactive web interface.
It is available at http://fwlogwatch.inside-security.de/
FEATURES
- General features:
- Can detect and process log entries in the following formats:
- Linux ipchains
- Linux netfilter/iptables
- Solaris/BSD/IRIX/HP-UX ipfilter
- BSD ipfw
- Cisco IOS
- Cisco PIX/FWSM/ASA
- NetScreen
- Elsa Lancom router
- Snort IDS
- Entries can be parsed from single, multiple and combined log files, the
parsers to be used can be selected.
- Gzip-compressed logs are supported transparently.
- Can separate recent from old entries and detects timewarps in log
files.
- Can recognize 'last message repeated' entries concerning the firewall.
- Integrated resolver for protocols, services and host names.
- Can do lookups in the whois database.
- Own DNS and whois information cache and GNU adns support for faster
lookups.
- Hosts, networks, ports, chains and branches (targets) can be selected
or excluded as needed.
- Support for internationalization (available in english, german,
portuguese, simplified and traditional chinese, swedish and japanese).
- Supports IPv6 (currently only the netfilter parser, dns cache and web
interface make use of it).
- Log summary mode:
- A lot of options to find and display relevant patterns in connection
attempts.
- Intelligent selection of certain fields (e.g. the host name column is
omitted and the host mentioned in the header of the summary if the log
is from a single host, the same happens with chains, targets and
interfaces).
- Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS)
with limit and sort options.
- Can send summaries by email.
- Realtime response mode:
- The program detaches and stays in background as a daemon.
- For ipchains setups detection of necessary rules with logging turned on
can be configured.
- Can catch up reading existing entries to provide up-to-date state
information from program start on.
- Response can be a notification (in form of a log file entry, an email,
a remote winpopup message or whatever you can put into a shell script),
or a customizable firewall modification.
- The included response script adds a new chain for fwlogwatch to
ipchains or netfilter setups and attackers are blocked with new
firewall rules.
- Supports trusted hosts (anti-spoofing).
- The current status of the program can be followed and controlled
through a web interface.
The commented configuration file supports and explains all options and will
get you started quickly. Please read the man page for details on the
command line options.
PARSER NOTES
- Cisco PIX/ASA support focuses on denied packets, knows some permitted
packet log entries and ignores all other kinds of log entries. It
expects log entries as from a syslog host. If your PIX/ASA uses names
or objects in the log you can use the script asa-hosts.sh from the
contrib directory to extract them from a saved PIX/ASA configuration
and format them as a hosts file, which you can use to initialize the
dns cache. If fwlogwatch is not able to resolve the names it will
discard the corresponding log entries.
- The ipfilter parser does not support logs with resolved service names
and tcp/udp entries without ports.
- The Snort parser does not analyze portscan entries.
- The NetScreen parser does not recognize packet-filter-unrelated entries
and some icmp types which the NetScreen does not seem to recognize
itself...
INSTALLATION
- General
The Makefile assumes you use Linux, to compile on Mac OS X, Solaris,
OpenBSD, FreeBSD or IRIX look for the corresponding lines at the top of
the Makefile. fwlogwatch may also be compiled and run on Windows with
help of cygwin or mingw. You may want to have a look at main.h if you
want to change some default values.
flex is required to build fwlogwatch. Besides that a simple 'make' should
be enough to obtain a working binary. If your make (like the one on
OpenBSD) thinks flex can only produce files called lex.yy.c type make
several times, after all parsers are generated linking will work.
If you use the realtime response mode you will need to install fwlogwatch
with superuser permissions for certain configurations. If all you need is
read access to the system's standard log file (e.g. /var/log/messages)
you can use group permissions. You can also bind a nonprivileged port for
the status server. 'make install' will install the binary (in
/usr/local/sbin) and the man page, 'make install-config' will also
install a sample configuration file in /etc.
- Zlib/Gettext/GNU adns
If you define HAVE_ZLIB, HAVE_GETTEXT and HAVE_ADNS fwlogwatch will be
compiled with zlib, gettext and adns support. The output of fwlogwatch -V
will contain an overview of the compiler options used.
You will need the zlib compression library version 1.0.9 or newer and
it's header files to be able to use zlib support.
To enable the internationalization support you will need to have the
gettext package (sometimes with it's surroundings libtool, GNU m4,
autoconf and automake) installed.
The GNU adns library and header files must be installed to build fwlogwatch
with support for faster, asynchronous DNS lookups.
- Linux
For ipchains you will need at least kernel 2.2.10 (which you should have
updated for security reasons anyway), kernel versions before 2.2.10 don't
log enough.
BASICS (with examples for iptables)
- You should use a whitelist (meaning your firewall only allows connections
that are explicitly permitted and should be as specific as possible), so
create a packet filter with ACCEPT rules for all connections you need.
- Your default policies can be DROP if you want your firewall to block all
connections in case all rules are deleted:
iptables -P INPUT DROP
iptables -P FORWARD DROP
Otherwise you should add a DROP rule at the end of all chains:
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
- Before those DROP rules (or the end of chains with DROP policy) you
should have a LOG rule with some descriptive text like the context and
chain name:
iptables -A INPUT -j LOG --log-prefix "fw input drop "
iptables -A FORWARD -j LOG --log-prefix "fw forward drop "
So the last 2 lines in your INPUT, FORWARD and custom chains should be
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fw forward drop `
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
- If you have a persistent log spammer drop his packets by inserting a DROP
rule before the logging rule above (or use the block response mode).
CONFIGURATION AND EXAMPLES
- You should make a configuration file for each function you want, look at
the included sample file, it should be easy to adapt to your needs.
- Command line example:
(The options are in the order they are mentioned in the text)
If you want very verbose generation of a HTML summary in the file
'log.html' of all packet filter entries at most one day old representing
at least two connection attempts with output including start and end
timestamps, time intervals, resolved IP addresses and service names and
with connections separated by protocol, source and destination ports and
TCP options using the files that match the expression "messages*.gz" as
input you would use the command
fwlogwatch -v -v -w -o log.html -l 1d -m 2 -t -e -z -n -N -p -s -d -y messages*.gz
- If you want to use fwlogwatch as a CGI, e.g. to have a quick look at
what happened in the last hour when you get a notification:
Copy the file fwlogsummary_small.cgi from the contrib directory to a
place where your web server can execute it (fwlogwatch must be reachable
and have enough permissions to read the log file).
- A script for generation of 8 general summaries (fwlogsummary.cgi) is also
included. You can use it as above or if you comment a few lines also on
the command line or from cron. It will use the output directory
/var/www/html/fwlogwatch as default. Look at the index.html file to
select the level of detail you want.
- Contrib also contains a web frontend written in PHP (fwlogwatch.php) to
apply fwlogwatch to selected files and test different options. Change the
header of the script to adapt it to your system (e.g. prefix of the log
file names, location of fwlogwatch).
- Sample init files (for Red Hat and openSUSE Linux systems) to start
fwlogwatch in realtime response mode at system start are also included.
- You might want to replace your /etc/services file by the one supplied
with nmap (http://www.insecure.org/nmap/), a lot more services will be
recognized, you can also add the ICMP types (don't assign one to type 0
since it is the ipchains default). The same applies to /etc/protocols,
you can use RFC 1700 (Assigned Numbers) to extend your version.
FEEDBACK
If you find a bug or have an idea for a new feature please send an email
to Boris Wesslowski <bw@inside-security.de>.
If you want to report a parser problem or submit unrecognized entries
please use the unrecognized entry submission page:
http://fwlogwatch.inside-security.de/unrecognized.php
|